Method for executing number-theoretic cryptographic and/or error-correcting protocols.

Abstract

Different methods for access control, digital signature and identification are known which use modular multiplications. A protocol is presented which can be executed in the same time as a Fiat-Shamir scheme in which all modular multiplications are replaced by standard multiplications. The advantage of the new method over the classical Fiat-Shamir protocol is that computations are done much more quickly.





EP 0 578 059 A1 

The present invention relates to a method for executing number-theoretic cryptographic and/or error-correcting protocols.

Background 


Montgomery's algorithm described in "Modular Multiplication without Trial Division", Mathematics of Computation, vol 44, pp 519-521, is a process for computing A·B·2^{-|n|} mod n in O(log(n)) memory space (O: order).

In Fiat, Feige and Shamir, "Zero-Knowledge Proofs of Identity", Journal of Cryptology, vol 1, pp. 77-94, an authentication scheme (Fiat-Shamir) is described.
See also EP-A-0252499 and EP-A-0325238.

Invention 

It is one object of the invention to disclose a method of constructing a Fiat-Shamir-like authentication scheme suitable for Montgomery environments without introducing any overhead in the number of modular multiplications required for the execution of the normal protocol. This object is reached by the method disclosed in claim 1.

A very recent result described in Arazi, "Modular Multiplication is Equivalent in Complexity to a Standard Multiplication", Fortress U&T Internal Report (1992), Fortress U&T Information Safeguards, P.O. Box 1350, Beer-Sheva, IL-84110, Israel, establishes (in a constructive way) that A·B·2^{-|n|} mod n can be computed with the same complexity (timewise and hardwarewise) as A·B (not mod n).
This theoretical reduction of the problem of modular multiplication, recently applied to the design of today's fastest hardware modular multiplier, is very important since it implies that the protocol presented hereafter can be executed in the same time as a Fiat-Shamir scheme where all modular multiplications are replaced by standard multiplications.

The fact that no constants have to be precalculated beforehand and the small amount of RAM required for a software implementation of the new protocol make it highly convenient for smart-card applications, e.g. in pay TV systems.

The advantage of the new method over the classical Fiat-Shamir protocol is that computations are done much more quickly. Also, the same philosophy can be applied in order to transform or adapt other number-theoretic schemes for quick execution.

Throughout this application, |n| denotes the length of n (in bits) and ||n|| the Hamming weight of n.
In Montgomery's algorithm for modular multiplication mentioned above it is assumed that n is odd. No other restrictions are imposed on the modulus.

Very much simplified, this algorithm 'Kernel' works as follows:
Let X[i] denote X's i-th bit (with X[0] as LSB) and K = 4^{|n|} mod n.

Kernel(A, B)
{
  c = 0
  For i = 0 to |n|-1
  {
    If A[i] == 1 then c = c + B
    If c[0] == 1 then c = c + n      (c is now even, so the halving below is exact)
    c = c/2
  }
  If c >= n then c = c - n           (c < 2n at this point, one subtraction suffices)
  Return(c)
}

It can be shown from the Montgomery reference cited above that c = A·B·2^{-|n|} mod n and that:
  Kernel(K, Kernel(A, B)) = A·B mod n.




A more comprehensive and complete approach is presented by Arazi mentioned above, where it is formally shown how to reduce the complexity of the computation Kernel(A, B) to that of A·B.
If it is possible to transform the Fiat-Shamir scheme in such a way that the Montgomery parasites (2^{-|n|}) do not disturb the protocol (using only one Kernel operation instead of each modular multiplication), then it would be possible to perform the Fiat-Shamir scheme in about half the time required with a full Montgomery multiplier.

Moreover, the precalculation or usage of the constant K of the Montgomery method is not required.
This approach to the problem is somewhat new since, in opposition to the classical process of designing computational tools for comfortable execution of number-theoretic protocols, here a cryptographic scheme is transformed in order to meet a given computational limitation.

Advantageously, after a proper modification of the relation between the public and the secret keys, the Montgomery parasites become helpful instead of disturbing.

From now on D will denote the parasite factor 2^{-|n|} mod n, and the availability of a half Montgomery multiplier is assumed (that is, a Kernel procedure performing only the operation A·B·D mod n).

The Fiat-Shamir public keys v_j are redefined by: D^3 · v_j · s_j^2 = 1 mod n.
It is assumed that the v_j's are already known to the verifier (for instance by Fiat and Shamir's F(ID_j) method).
Step 1:

A prover device picks a random number R and computes Z = R^2 D mod n = Kernel(R, R) and sends it to a verifier device.
Step 2:

The verifier device sends the random binary vector e to the prover device.
Step 3:

The prover device computes and sends to the verifier device:

  y = R · Π_{e_j = 1} s_j · D^{||e||} mod n.

This value is easily computed by:

  y = Kernel(s_{i_1}, Kernel(s_{i_2}, ... Kernel(s_{i_||e||}, R) ...)).

Here the i_j's denote the ||e|| indices selected by vector e.
Step 4:

The verifier device computes (in a similar way to that of the previous step):

  A = Kernel(v_{i_1}, Kernel(v_{i_2}, ... Kernel(v_{i_||e||}, Kernel(y, y)) ...))
    = y^2 D · Π_{e_j = 1} v_j · D^{||e||} mod n
    = R^2 · Π_{e_j = 1} v_j s_j^2 · D^{2||e||} · D^{||e||} · D mod n
    = R^2 · Π_{e_j = 1} (v_j s_j^2 D^3) · D mod n = R^2 D mod n

and tests if A = Z.
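Added example (not code from the patent): a Python implementation of the bit-serial Kernel described above and of one round of the modified Fiat-Shamir identification, with constructed toy parameters (n = 1013·1019, secrets 7, 11, 13, 17) and function names of my own.

```python
# Added example (not the patent's code): the bit-serial Montgomery "Kernel" of the page and
# one round of the modified Fiat-Shamir identification built on it.  1013 and 1019 are
# primes, so the constructed modulus n = 1013 * 1019 is odd, as Kernel requires.

def kernel(a, b, n):
    """Half Montgomery multiplier: a*b*2^(-|n|) mod n for odd n and 0 <= a, b < n."""
    c = 0
    for i in range(n.bit_length()):      # scan A's bits, LSB first
        if (a >> i) & 1:
            c += b
        if c & 1:                        # make c even so the halving is exact
            c += n
        c >>= 1
    if c >= n:                           # c < 2n here, one subtraction suffices
        c -= n
    return c

def parasite(n):
    """D = 2^(-|n|) mod n, the factor every Kernel call leaves behind."""
    return pow(2, -n.bit_length(), n)

def fs_public_keys(secrets, n):
    """Modified relation D^3 * v_j * s_j^2 = 1 mod n: v_j = D^-3 * s_j^-2 mod n."""
    d = parasite(n)
    return [pow(d, -3, n) * pow(s, -2, n) % n for s in secrets]

def fs_commit(R, n):
    return kernel(R, R, n)               # Z = R^2 D mod n

def fs_respond(R, secrets, e, n):
    y = R                                # y = R * prod(s_j) * D^||e|| mod n
    for s, bit in zip(secrets, e):
        if bit:
            y = kernel(s, y, n)
    return y

def fs_verify(Z, y, pubs, e, n):
    A = kernel(y, y, n)                  # A = y^2 D * prod(v_j) * D^||e|| mod n
    for v, bit in zip(pubs, e):
        if bit:
            A = kernel(v, A, n)
    return A == Z                        # A collapses to R^2 D mod n when the relation holds

N = 1013 * 1019
SECRETS = [7, 11, 13, 17]                # constructed s_j, all coprime to N
PUBS = fs_public_keys(SECRETS, N)

def run_round(R=123456, e=(1, 0, 1, 1)):
    """One identification round with a constructed R and challenge e; True when accepted."""
    Z = fs_commit(R, N)
    y = fs_respond(R, SECRETS, e, N)
    return fs_verify(Z, y, PUBS, e, N)

if __name__ == "__main__":
    print("verifier accepts:", run_round())
```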

The prover device can be a smart card comprising a microprocessor and RAM means and storing in non-volatile memory means the secret keys s_j and the modulus n, whereby the smart card is connected via a smart card reader to a pay TV decoder comprising the verifier device, which evaluates the public keys v_j and also stores the modulus n in memory means.
In principle the inventive method consists in computing number-theoretic cryptographic and/or error-correcting protocols using a prover device storing in memory means secret keys s_j and a modulus n, and a verifier device which evaluates a set of public keys v_j, whereby the relation between the public keys v_j and the secret keys s_j is modified in such a way that parasites induced by the usage of a Montgomery-like modular multiplication method are met or cancelled.

Advantageous additional embodiments of the inventive method result from the respective dependent claims.

Preferred embodiments 


Similarly, the invention can be applied to the Fiat-Shamir digital signature method as well.
In Quisquater and Guillou, "A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory", Proceedings of Eurocrypt'88, Lecture Notes in Computer Science 330, Springer-Verlag (Ed. C.G. Günther), 1988, pp. 123-128, a second very popular authentication scheme is described. The original Quisquater-Guillou identification scheme is the following:

The basic relationship between the secret key B and a user's (prover device) identity ID is: f(ID)·B^v = 1 mod n. Another short name for f(ID) is J. The parameter v is decided by the authority.
Step 1:

The prover device picks a random number r and sends its ID and T = r^v mod n to the verifier device.
Step 2:

The verifier device picks a random d < v, computes J = f(ID) and sends d to the prover device.
Step 3:

The prover device computes and sends U = r·B^d mod n to the verifier device.
Step 4:

The verifier device checks that T = J^d U^v mod n.
This identity should hold since:

  J^d U^v = J^d (r·B^d)^v = (J·B^v)^d r^v = 1^d r^v = r^v = T mod n.


By applying the inventive method here the computation can be accelerated using a half Montgomery multiplier (processor). Again, the relationship between the public and the secret keys is modified: f(ID)·B^v·D^{v+1} = 1 mod n, but exactly the same protocol is executed while replacing the multiplications by Kernel operations:
Step 1:

The prover device picks a random number r and sends its ID and T = r^v D^{v-1} mod n to the verifier device. The factor D^{v-1} is added by the classical square-and-multiply exponentiation algorithm where all multiplications are replaced by Kernel procedures. More precisely, this Kernel_Exponentiation algorithm is:

Kernel_Exponentiation(A, p)
{
  Accum = A
  x = 1
  first = true
  While (p not equal 0)
  {
    If p[0] == 1 then
    {
      If first then x = Accum, first = false    (the first selected factor is copied, not
                                                 multiplied, so that no extra D is picked up)
      else x = Kernel(x, Accum)
    }
    Accum = Kernel(Accum, Accum)                (Accum holds A^{2^i} D^{2^i - 1})
    ShiftToTheRight(p)
  }
  Return(x)
}

Therefrom it can be easily proved that:

  Kernel_Exponentiation(A, p) = A^p D^{p-1} mod n   (T is obtained by Kernel_Exponentiation(r, v)).


Step 2: The verifier device picks a random d < v, computes J = f(ID) and sends d to the prover device.
Step 3:

The prover device computes and sends U = r·B^d·D^d mod n to the verifier device.

U is computed by: Kernel(Kernel_Exponentiation(B, d), r).

Step 4:

The verifier device checks that T = J^d U^v D^{d+v-1} mod n.
The value J^d U^v D^{d+v-1} is computed by:

  Kernel(Kernel_Exponentiation(J, d), Kernel_Exponentiation(U, v)).

This test should be true since:

  J^d U^v D^{d+v-1} = J^d (r·B^d·D^d)^v D^{d+v-1} = (J·B^v)^d r^v D^{d·v+d+v-1} =
  D^{-d(v+1)} r^v D^{d(v+1)} D^{v-1} = r^v D^{v-1} = T.
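Added example (not the patent's code) covering the Kernel_Exponentiation procedure and the modified Quisquater-Guillou round, in Python with constructed toy parameters; Kernel is taken here as its arithmetic value A·B·D mod n (the bit-serial algorithm is shown earlier), and key generation uses phi(n), which only the authority knows. The Schnorr and El Gamal variants below rely on the same Kernel_Exponentiation identity.

```python
# Added example (not the patent's code): Kernel_Exponentiation with the identity
# Kernel_Exponentiation(A, p) = A^p * D^(p-1) mod n, and one Quisquater-Guillou round
# using it.  n = 1013 * 1019 (both prime), exponent V and J (standing for f(ID)) are
# constructed toy values; nothing here is of a secure size.

def parasite(n):
    return pow(2, -n.bit_length(), n)             # D = 2^(-|n|) mod n

def kernel(a, b, n):
    return a * b * parasite(n) % n                # value of the half Montgomery multiplier

def kernel_exponentiation(a, e, n):
    """Right-to-left square-and-multiply with every product replaced by kernel().
    Returns a^e * D^(e-1) mod n.  The first selected factor is copied, not multiplied,
    so the result carries exactly e-1 parasites; e == 0 yields D^(-1) = 2^|n| mod n."""
    accum, x = a, None
    while e:
        if e & 1:
            x = accum if x is None else kernel(x, accum, n)
        accum = kernel(accum, accum, n)           # accum = a^(2^i) * D^(2^i - 1)
        e >>= 1
    return pow(2, n.bit_length(), n) if x is None else x

N = 1013 * 1019
PHI = 1012 * 1018                                 # phi(N), known to the authority
V = 7                                             # authority's exponent, coprime to PHI
J = 12345 % N                                     # constructed stand-in for f(ID)

def qg_secret(J, v, n, phi):
    """B such that f(ID) * B^v * D^(v+1) = 1 mod n (the modified QG relation)."""
    base = J * pow(parasite(n), v + 1, n) % n
    return pow(base, -pow(v, -1, phi), n)         # B = base^(-1/v) mod n

def qg_round(B, r, d):
    """Prover sends T and U for challenge d < V; verifier recomputes T.
    Returns (T, U, accepted)."""
    T = kernel_exponentiation(r, V, N)                       # r^v D^(v-1) mod n
    U = kernel(kernel_exponentiation(B, d, N), r, N)         # r B^d D^d mod n
    check = kernel(kernel_exponentiation(J, d, N),
                   kernel_exponentiation(U, V, N), N)        # J^d U^v D^(d+v-1) mod n
    return T, U, check == T

if __name__ == "__main__":
    B = qg_secret(J, V, N, PHI)
    print(qg_round(B, r=4242, d=3))
```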

Schnorr, "Efficient Identification and Signatures for Smart Cards", Proceedings of Eurocrypt'89, Lecture Notes in Computer Science 435, Springer-Verlag (Ed. G. Brassard), 1990, pp. 239-252 (see also EP-A-0384475), is a system where the relation between the public (v) and the secret (s) keys is v = a^{-s} mod p. a is chosen by the authority in such a way that a^q = 1 mod p. q is a public key published by the authority.
Step 1:

The prover device picks a random r, computes x = a^r mod p and sends x to the verifier device.
Step 2:

The verifier device picks a random e and sends it to the prover device.
Step 3:

The prover device sends back y = r + s·e mod q.
Step 4:

The verifier device tests that x = a^y v^e mod p.

The inventive method can be applied again in order to shorten the computation time. The only modification to introduce is in the relationship between the public and secret keys, which becomes:

  v·D^{s+1}·a^s = 1 mod p.
Step 1:

The prover device picks a random r, computes x = a^r D^{r-1} mod p and sends x to the verifier device:
  x = Kernel_Exponentiation(a, r).

Step 2:

The verifier device picks a random e and sends it to the prover device.
Step 3:

The prover device sends back y = r + s·e mod q.
Step 4:

The verifier device checks that x = a^y v^e D^{y+e-1} mod p by testing that:

  x = Kernel(Kernel_Exponentiation(a, y), Kernel_Exponentiation(v, e)).

This test should be true since:

  a^y v^e D^{y+e-1} = a^{r+s·e} v^e D^{y+e-1}
                    = a^{r+s·e} (a^{-s} D^{-(1+s)})^e D^{y+e-1}
                    = a^r D^{-(s+1)·e} D^{r+s·e+e-1}
                    = a^r D^{r-1} = x.



The signature scheme disclosed in El Gamal, "A public-key cryptosystem and a signature scheme based on the discrete logarithm", IEEE Transactions on Information Theory, vol. 31, No. 4, pp. 469-472, 1985, is based on the discrete logarithm problem.

The public key is defined as an integer p = g^s mod q, where s is the user's secret key and p, q and g are public. For signing a message m, the user picks a random number k, computes u = g^k mod q and computes v such that m = s·u + k·v mod (q-1). {u, v} is the signature of message m.
Upon reception, the validity of the signature can be checked since

  p^u u^v = g^{s·u} g^{k·v} = g^{s·u} g^{m-s·u} = g^m mod q

and m and g are available.

In order to take advantage of the inventive Kernel_Exponentiation procedure without modifying the protocol, the public key is just redefined as p = g^s D^{s-1} mod q.

p can be easily computed by Kernel_Exponentiation(g, s). For signing, the user will pick a random k and compute u = g^k D^{k-1} mod q = Kernel_Exponentiation(g, k), whilst the definition of v remains the same (namely: m = s·u + k·v mod (q-1)). For checking the validity of the signature, the receiver will compute:

  Kernel(Kernel_Exponentiation(p, u), Kernel_Exponentiation(u, v)) =
  (p^u D^{u-1})(u^v D^{v-1}) D = (p^u D^{u-1})(u·D)^v = (p^u D^{u-1})(g^k D^{k-1} D)^v =
  (p^u D^{u-1})(g^k D^k)^v = (p^u D^{u-1})(g·D)^{k·v} = (p^u D^{u-1})(g·D)^{m-s·u} =
  (g^s D^{s-1})^u D^{u-1} g^{m-s·u} D^{m-s·u} = g^{s·u} D^{s·u-u} D^{u-1} g^{m-s·u} D^{m-s·u} =
  g^m D^{m-1} mod q,

and will naturally compare this value to the result of:

  Kernel_Exponentiation(g, m).

The Digital Signature Standard (DSS) is an emerging new standard for message signature. Very much simplified, the DSS works as follows:

Two primes, p and q, and an integer g are selected, y = g^x mod p is computed and p, q, g and y are published. x is the user's private key.

The procedure for signing the message M is the following: 

The signer device hashes message M into a compressed string m.

The signer device computes r = (g^k mod p) mod q and s = (m + x·r)/k mod q and sends the signature {r, s} to the verifier device.

The verifier device will control the signature by checking that

  ((g^{m·sE(-1) mod q} · y^{r·sE(-1) mod q}) mod p) mod q = r,

with sE(-1) = s^{-1} mod q.

In order to adapt this process to the inventive method, only the relation between the keys is modified, but two different Kernel procedures will be distinguished:
  Kernel_q(A, B) computing A·B·D' mod q and
  Kernel_p(A, B) computing A·B·D mod p,
where D' denotes the parasite factor belonging to the modulus q, as D does for p.

Here is the new protocol: Redefine y = g^x D^{x-1} mod p. The signer device computes:

  r1 = Kernel_Exponentiation_p(g, k) = g^k D^{k-1} mod p,
  r = Kernel_q(r1, 1) = (g^k D^{k-1} mod p)·D' mod q and
  s = Kernel_q(1/k, (m + Kernel_q(x, r))) = D'·(m + x·r·D')/k mod q

and sends the signature {r, s} to the verifier device.

The verifier device will control the signature by computing:

  w = s^{-1} mod q
  u1 = Kernel_q(m, w) = m·w·D' mod q
  u2 = Kernel_q(r, w) = r·w·D' mod q
  v1 = Kernel_Exponentiation_p(g, u1) = g^{u1} D^{u1-1} mod p
  v2 = Kernel_Exponentiation_p(y, u2) = y^{u2} D^{u2-1} mod p
  v3 = Kernel_p(v1, v2) = g^{u1} D^{u1-1} y^{u2} D^{u2-1} D mod p = g^{u1} y^{u2} D^{u1+u2-1} mod p
     = g^{u1} (g^x D^{x-1})^{u2} D^{u1+u2-1} mod p = g^{m·w·D' + x·r·w·D'} D^{x·u2+u1-1} mod p
     = g^{w·D'·(m + x·r·D')} D^{x·u2+u1-1} mod p = g^k D^{x·r·w·D' + m·w·D' - 1} mod p = g^k D^{k-1} mod p
  v = Kernel_q(v3, 1) = (g^k D^{k-1} mod p)·D' mod q

and will compare that: v = r.

For r the signer can also compute

  r = (g^k D^{k-1} mod p)·C·D' mod q

with checking by the verifier device that v3·D'·C = r mod q, where C is an arbitrary constant.
For r the signer can also compute

  r = (g^k D^{k-1} mod p)·f(M)·D' mod q

with checking by the verifier device that v3·D'·f(M) = r mod q, where f(M) is a public function of the message to sign.

Advantageously, with no extra cost (compared to the original DSS) the security of the proposed scheme can be improved since the steps:

  r = Kernel_q(r1, 1) (when computing the signature) and
  v = Kernel_q(v3, 1) (when verifying the signature)

can respectively be replaced by:

  r = Kernel_q(r1, f(m)) (when computing the signature) and
  v = Kernel_q(v3, f(m)) (when verifying the signature),

where f denotes any public function (e.g. the |q| LSB bits of m).

With a 68HC05 type microprocessor running at 3.5 MHz the Kernel operation (for 512 bit numbers) was implemented in less than 135 ms; RAM usage is less than 70 bytes. A special Kernel-Squaring version runs in 85 ms but requires double the RAM space.
In the article of Arazi cited above it is shown that "It is possible to compute A·B·D mod n in |n| + 1 clock cycles. That is, a modular multiplication is performed with the same complexity (timewise and hardwarewise) as that of a standard multiplication operation".

It is thus possible to execute a Fiat-Shamir identity check (and signature, with similar modifications of the scheme) in hardware and time equivalent to that required for the execution of the protocols without modular reductions.

The same strategy of modifying the relationship between public and secret keys in order to meet or cancel the effect of parasite constants introduced by modular reduction tools can be applied to a big variety of number-theoretic authentication and signature protocols.
The invention can also be used for banking, access control or military applications.

Claims 

1. Method for executing number-theoretic cryptographic and/or error-correcting protocols using a prover device - e.g. a smart card - storing in memory means secret keys and a modulus, and a verifier device which evaluates public keys, characterized in that the relation between the public keys (v_j) and the secret keys (s_j) is modified in such a way that parasites induced by the usage of a Montgomery-like modular multiplication method are met or cancelled.

2. Method according to claim 1, characterized in that in the Fiat-Shamir protocol for digital signature and/or identification:

- replacing all the modular multiplication operations by a kernel operation taking as input a couple of numbers A and B and outputting the number A·B·D mod n, where D is a constant parasite factor and n is a standard Fiat-Shamir modulus;

- replacing the relationship between the public and the secret keys by D^3 v_j s_j^2 = 1 mod n.

3. Method according to claim 1, characterized in that in the Quisquater-Guillou protocol for digital signature and/or identification:

- replacing all the modular multiplication operations by a kernel operation taking as input a couple of numbers A and B and outputting the number A·B·D mod n, where D is a constant parasite factor and n is a Quisquater-Guillou modulus;

- replacing the relationship between the public and the secret keys by f(ID)·(B·D)^v·D = 1 mod n.

4. Method according to claim 1, characterized in that in the Schnorr protocol for digital signature and/or identification:

- replacing all the modular multiplication operations by a kernel operation taking as input a couple of numbers A and B and outputting the number A·B·D mod p, where D is a constant parasite factor and p is the standard Schnorr prime modulus;

- replacing the relationship between the public and the secret keys by v·D^{s+1}·a^s = 1 mod p.


5. Method according to claim 1, characterized in that in the El-Gamal protocol for digital signature and/or identification:

- replacing all the modular multiplication operations by a kernel operation taking as input a couple of numbers A and B and outputting the number A·B·D mod q, where D is a constant parasite factor and q is the standard El-Gamal prime modulus;

- replacing the relationship between the public and the secret keys by p = g^s D^{s-1} mod q;

- replacing the definition of u by u = g^k D^{k-1} mod q.

6. Method according to claim 1, characterized in that in the Digital Signature Standard:
a) Hashing by the prover device a message M to sign into a compressed string m;

b) Computing by the prover device r = (g^k D^{k-1} mod p)·D' mod q;

c) Computing by the prover device s = D'·(m + x·r·D')/k mod q;

d) Sending from the prover device to the verifier device the signature {r, s};

e) Computing by the verifier device w = s^{-1} mod q;

f) Computing by the verifier device u1 = m·w·D' mod q;

g) Computing by the verifier device u2 = r·w·D' mod q;

h) Computing by the verifier device v1 = g^{u1} D^{u1-1} mod p;

i) Computing by the verifier device v2 = y^{u2} D^{u2-1} mod p;

h) Computing by the verifier device v3 = v1·v2·D mod p;
j) Checking by the verifier device that v3·D' = r mod q.

7. Method according to claim 6, characterized in that steps b) and j) are respectively replaced by:

b) Computing by the prover device r = (g^k D^{k-1} mod p)·C·D' mod q;

j) Checking by the verifier device that v3·D'·C = r mod q, where C is an arbitrary constant.

8. Method according to claim 6, characterized in that steps b) and j) are respectively replaced by:
b) Computing by the prover device r = (g^k D^{k-1} mod p)·f(M)·D' mod q;

j) Checking by the verifier device that v3·D'·f(M) = r mod q, where f(M) is a public function of the message to sign.

9. Method according to any of claims 1 to 8, characterized in that the operations x = y^{power} D^{power-1} modulo N are done by an exponentiation procedure, the algorithmic structure of which is:

  Accum = y
  x = 1
  first = true

  While (power not equal 0)
  {
    If power[0] == 1 then
    {
      If first then x = Accum, first = false   (first factor copied, so no extra D)
      else x = Kernel(x, Accum)
    }
    Accum = Kernel(Accum, Accum)
    ShiftToTheRight(power)
  }

  Return(x)